1 files changed, 37 insertions, 29 deletions
diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch
index 48f51f5d03..a86413fbad 100644
--- a/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch
+++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch
@@ -1,14 +1,16 @@
-From 10fad73a2bf1c76c8aa9d6322755e5f877d83ce5 Mon Sep 17 00:00:00 2001
+From f6b0de53fb87ddefed348a39284c8e2f28dc4eda Mon Sep 17 00:00:00 2001
 From: Christian Schoenebeck <qemu_oss@crudebyte.com>
-Date: Wed Jun 7 18:29:33 2023 +0200
+Date: Wed, 7 Jun 2023 18:29:33 +0200
-Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861) The 9p
+Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861)
- protocol does not specifically define how server shall behave when client
- tries to open a special file, however from security POV it does make sense
+The 9p protocol does not specifically define how server shall behave when
- for 9p server to prohibit opening any special file on host side in general. A
+client tries to open a special file, however from security POV it does
- sane Linux 9p client for instance would never attempt to open a special file
+make sense for 9p server to prohibit opening any special file on host side
- on host side, it would always handle those exclusively on its guest side. A
+in general. A sane Linux 9p client for instance would never attempt to
- malicious client however could potentially escape from the exported 9p tree
+open a special file on host side, it would always handle those exclusively
- by creating and opening a device file on host side.
+on its guest side. A malicious client however could potentially escape
+from the exported 9p tree by creating and opening a device file on host
+side.
 With QEMU this could only be exploited in the following unsafe setups:
@@ -32,19 +34,16 @@ Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
 Reviewed-by: Greg Kurz <groug@kaod.org>
 Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
 Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com>
-(cherry picked from commit f6b0de5)
-Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
-(Mjt: drop adding qemu_fstat wrapper for 7.2 where wrappers aren't used)
-Upstream-Status: Backport [https://github.com/qemu/qemu/commit/10fad73a2bf1c76c8aa9d6322755e5f877d83ce5]
+Upstream-Status: Backport from [https://github.com/qemu/qemu/commit/10fad73a2bf1c76c8aa9d6322755e5f877d83ce5]
 CVE: CVE-2023-2861
 Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
 ---
- fsdev/virtfs-proxy-helper.c | 27 ++++++++++++++++++++++++--
+ fsdev/virtfs-proxy-helper.c | 27 +++++++++++++++++++++++--
- hw/9pfs/9p-util.h           | 38 +++++++++++++++++++++++++++++++++++++
+ hw/9pfs/9p-util.h           | 40 +++++++++++++++++++++++++++++++++++++
- 2 files changed, 63 insertions(+), 2 deletions(-)
+ 2 files changed, 65 insertions(+), 2 deletions(-)
 diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
 index 15c0e79b0..f9e4669a5 100644
@@ -56,12 +55,12 @@ index 15c0e79b0..f9e4669a5 100644
 #include "hw/9pfs/9p-proxy.h"
 +#include "hw/9pfs/9p-util.h"
 #include "fsdev/9p-iov-marshal.h"
+ 
 #define PROGNAME "virtfs-proxy-helper"
 @@ -338,6 +339,28 @@ static void resetugid(int suid, int sgid)
     }
 }
+ 
 +/*
 + * Open regular file or directory. Attempts to open any special file are
 + * rejected.
@@ -106,22 +105,30 @@ index 15c0e79b0..f9e4669a5 100644
         ret = -errno;
     }
 diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h
-index 546f46dc7..54e270ac6 100644
+index 546f46dc7..23000e917 100644
 --- a/hw/9pfs/9p-util.h
 +++ b/hw/9pfs/9p-util.h
-@@ -13,6 +13,8 @@
+@@ -13,12 +13,16 @@
 #ifndef QEMU_9P_UTIL_H
 #define QEMU_9P_UTIL_H
+ 
 +#include "qemu/error-report.h"
 +
 #ifdef O_PATH
 #define O_PATH_9P_UTIL O_PATH
 #else
-@@ -26,6 +28,38 @@ static inline void close_preserve_errno(int fd)
+ #define O_PATH_9P_UTIL 0
+ #endif
+ 
+#define qemu_fstat      fstat
+
+ static inline void close_preserve_errno(int fd)
+ {
+     int serrno = errno;
+@@ -26,6 +30,38 @@ static inline void close_preserve_errno(int fd)
     errno = serrno;
 }
+ 
 +/**
 + * close_if_special_file() - Close @fd if neither regular file nor directory.
 + *
@@ -157,10 +164,10 @@ index 546f46dc7..54e270ac6 100644
 static inline int openat_dir(int dirfd, const char *name)
 {
     return openat(dirfd, name,
-@@ -56,6 +90,10 @@ again:
+@@ -56,6 +92,10 @@ again:
         return -1;
     }
+ 
 +    if (close_if_special_file(fd) < 0) {
 +        return -1;
 +    }
@@ -168,5 +175,6 @@ index 546f46dc7..54e270ac6 100644
     serrno = errno;
     /* O_NONBLOCK was only needed to open the file. Let's drop it. We don't
      * do that with O_PATH since fcntl(F_SETFL) isn't supported, and openat()
--
+-- 
-2.40.0
+2.35.7

diff --git a/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch index 48f51f5d03..a86413fbad 100644 --- a/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch +++ b/meta/recipes-devtools/qemu/qemu/CVE-2023-2861.patch
@@ -1,14 +1,16 @@
1	From 10fad73a2bf1c76c8aa9d6322755e5f877d83ce5 Mon Sep 17 00:00:00 2001	1	From f6b0de53fb87ddefed348a39284c8e2f28dc4eda Mon Sep 17 00:00:00 2001
2	From: Christian Schoenebeck <qemu_oss@crudebyte.com>	2	From: Christian Schoenebeck <qemu_oss@crudebyte.com>
3	Date: Wed Jun 7 18:29:33 2023 +0200	3	Date: Wed, 7 Jun 2023 18:29:33 +0200
4	Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861) The 9p	4	Subject: [PATCH] 9pfs: prevent opening special files (CVE-2023-2861)
5	protocol does not specifically define how server shall behave when client	5
6	tries to open a special file, however from security POV it does make sense	6	The 9p protocol does not specifically define how server shall behave when
7	for 9p server to prohibit opening any special file on host side in general. A	7	client tries to open a special file, however from security POV it does
8	sane Linux 9p client for instance would never attempt to open a special file	8	make sense for 9p server to prohibit opening any special file on host side
9	on host side, it would always handle those exclusively on its guest side. A	9	in general. A sane Linux 9p client for instance would never attempt to
10	malicious client however could potentially escape from the exported 9p tree	10	open a special file on host side, it would always handle those exclusively
11	by creating and opening a device file on host side.	11	on its guest side. A malicious client however could potentially escape
		12	from the exported 9p tree by creating and opening a device file on host
		13	side.
12		14
13	With QEMU this could only be exploited in the following unsafe setups:	15	With QEMU this could only be exploited in the following unsafe setups:
14		16
@@ -32,19 +34,16 @@ Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
32	Reviewed-by: Greg Kurz <groug@kaod.org>	34	Reviewed-by: Greg Kurz <groug@kaod.org>
33	Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>	35	Reviewed-by: Michael Tokarev <mjt@tls.msk.ru>
34	Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com>	36	Message-Id: <E1q6w7r-0000Q0-NM@lizzy.crudebyte.com>
35	(cherry picked from commit f6b0de5)
36	Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
37	(Mjt: drop adding qemu_fstat wrapper for 7.2 where wrappers aren't used)
38
39	Upstream-Status: Backport [https://github.com/qemu/qemu/commit/10fad73a2bf1c76c8aa9d6322755e5f877d83ce5]
40		37
		38	Upstream-Status: Backport from [https://github.com/qemu/qemu/commit/10fad73a2bf1c76c8aa9d6322755e5f877d83ce5]
41	CVE: CVE-2023-2861	39	CVE: CVE-2023-2861
42		40
43	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>	41	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		42	Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
44	---	43	---
45	fsdev/virtfs-proxy-helper.c \| 27 ++++++++++++++++++++++++--	44	fsdev/virtfs-proxy-helper.c \| 27 +++++++++++++++++++++++--
46	hw/9pfs/9p-util.h \| 38 +++++++++++++++++++++++++++++++++++++	45	hw/9pfs/9p-util.h \| 40 +++++++++++++++++++++++++++++++++++++
47	2 files changed, 63 insertions(+), 2 deletions(-)	46	2 files changed, 65 insertions(+), 2 deletions(-)
48		47
49	diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c	48	diff --git a/fsdev/virtfs-proxy-helper.c b/fsdev/virtfs-proxy-helper.c
50	index 15c0e79b0..f9e4669a5 100644	49	index 15c0e79b0..f9e4669a5 100644
@@ -56,12 +55,12 @@ index 15c0e79b0..f9e4669a5 100644
56	#include "hw/9pfs/9p-proxy.h"	55	#include "hw/9pfs/9p-proxy.h"
57	+#include "hw/9pfs/9p-util.h"	56	+#include "hw/9pfs/9p-util.h"
58	#include "fsdev/9p-iov-marshal.h"	57	#include "fsdev/9p-iov-marshal.h"
59		58
60	#define PROGNAME "virtfs-proxy-helper"	59	#define PROGNAME "virtfs-proxy-helper"
61	@@ -338,6 +339,28 @@ static void resetugid(int suid, int sgid)	60	@@ -338,6 +339,28 @@ static void resetugid(int suid, int sgid)
62	}	61	}
63	}	62	}
64		63
65	+/*	64	+/*
66	+ * Open regular file or directory. Attempts to open any special file are	65	+ * Open regular file or directory. Attempts to open any special file are
67	+ * rejected.	66	+ * rejected.
@@ -106,22 +105,30 @@ index 15c0e79b0..f9e4669a5 100644
106	ret = -errno;	105	ret = -errno;
107	}	106	}
108	diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h	107	diff --git a/hw/9pfs/9p-util.h b/hw/9pfs/9p-util.h
109	index 546f46dc7..54e270ac6 100644	108	index 546f46dc7..23000e917 100644
110	--- a/hw/9pfs/9p-util.h	109	--- a/hw/9pfs/9p-util.h
111	+++ b/hw/9pfs/9p-util.h	110	+++ b/hw/9pfs/9p-util.h
112	@@ -13,6 +13,8 @@	111	@@ -13,12 +13,16 @@
113	#ifndef QEMU_9P_UTIL_H	112	#ifndef QEMU_9P_UTIL_H
114	#define QEMU_9P_UTIL_H	113	#define QEMU_9P_UTIL_H
115		114
116	+#include "qemu/error-report.h"	115	+#include "qemu/error-report.h"
117	+	116	+
118	#ifdef O_PATH	117	#ifdef O_PATH
119	#define O_PATH_9P_UTIL O_PATH	118	#define O_PATH_9P_UTIL O_PATH
120	#else	119	#else
121	@@ -26,6 +28,38 @@ static inline void close_preserve_errno(int fd)	120	#define O_PATH_9P_UTIL 0
		121	#endif
		122
		123	+#define qemu_fstat fstat
		124	+
		125	static inline void close_preserve_errno(int fd)
		126	{
		127	int serrno = errno;
		128	@@ -26,6 +30,38 @@ static inline void close_preserve_errno(int fd)
122	errno = serrno;	129	errno = serrno;
123	}	130	}
124		131
125	+/**	132	+/**
126	+ * close_if_special_file() - Close @fd if neither regular file nor directory.	133	+ * close_if_special_file() - Close @fd if neither regular file nor directory.
127	+ *	134	+ *
@@ -157,10 +164,10 @@ index 546f46dc7..54e270ac6 100644
157	static inline int openat_dir(int dirfd, const char *name)	164	static inline int openat_dir(int dirfd, const char *name)
158	{	165	{
159	return openat(dirfd, name,	166	return openat(dirfd, name,
160	@@ -56,6 +90,10 @@ again:	167	@@ -56,6 +92,10 @@ again:
161	return -1;	168	return -1;
162	}	169	}
163		170
164	+ if (close_if_special_file(fd) < 0) {	171	+ if (close_if_special_file(fd) < 0) {
165	+ return -1;	172	+ return -1;
166	+ }	173	+ }
@@ -168,5 +175,6 @@ index 546f46dc7..54e270ac6 100644
168	serrno = errno;	175	serrno = errno;
169	/* O_NONBLOCK was only needed to open the file. Let's drop it. We don't	176	/* O_NONBLOCK was only needed to open the file. Let's drop it. We don't
170	* do that with O_PATH since fcntl(F_SETFL) isn't supported, and openat()	177	* do that with O_PATH since fcntl(F_SETFL) isn't supported, and openat()
171	--	178	--
172	2.40.0	179	2.35.7
		180